CWE-799
Allowed-with-ReviewImproper Control of Interaction Frequency
Abstraction: Class · Status: Incomplete
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
108 vulnerabilities reference this CWE, most recent first.
GHSA-GRW6-P9QM-QMX4
Vulnerability from github – Published: 2023-05-31 15:30 – Updated: 2024-04-04 04:26A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.
{
"affected": [],
"aliases": [
"CVE-2023-2758"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-31T15:15:09Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.",
"id": "GHSA-grw6-p9qm-qmx4",
"modified": "2024-04-04T04:26:10Z",
"published": "2023-05-31T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2758"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2023-21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HQHF-C9CF-W4QM
Vulnerability from github – Published: 2024-10-10 00:31 – Updated: 2024-10-11 21:31The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.
{
"affected": [],
"aliases": [
"CVE-2024-48942"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-10T00:15:02Z",
"severity": "MODERATE"
},
"details": "The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.",
"id": "GHSA-hqhf-c9cf-w4qm",
"modified": "2024-10-11T21:31:34Z",
"published": "2024-10-10T00:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48942"
},
{
"type": "WEB",
"url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/3236560898/2024-09-16+-+Secure+Login+security+advisory+-+Insecure+default+configuration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HV59-832H-F7J8
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-04-23 21:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.
{
"affected": [],
"aliases": [
"CVE-2021-37191"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.",
"id": "GHSA-hv59-832h-f7j8",
"modified": "2025-04-23T21:30:29Z",
"published": "2022-05-24T19:14:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37191"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-334944.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MF69-R24Q-GHHR
Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:59Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.
Original Description
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2026.2.26"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:59:20Z",
"nvd_published_at": "2026-04-23T22:16:41Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.",
"id": "GHSA-mf69-r24q-ghhr",
"modified": "2026-05-04T21:59:20Z",
"published": "2026-04-24T00:31:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account",
"withdrawn": "2026-05-04T21:59:20Z"
}
GHSA-P77M-F595-QX5V
Vulnerability from github – Published: 2023-07-12 15:30 – Updated: 2024-04-04 06:04In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms
{
"affected": [],
"aliases": [
"CVE-2023-38068"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T13:15:09Z",
"severity": "HIGH"
},
"details": "In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms",
"id": "GHSA-p77m-f595-qx5v",
"modified": "2024-04-04T06:04:11Z",
"published": "2023-07-12T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38068"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PW23-46F3-853X
Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-05-20 18:30OpenFlow discovery protocol can exhaust resources because it is not rate limited
{
"affected": [],
"aliases": [
"CVE-2025-48016"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T16:15:35Z",
"severity": "MODERATE"
},
"details": "OpenFlow discovery protocol can exhaust resources because it is not rate limited",
"id": "GHSA-pw23-46f3-853x",
"modified": "2025-05-20T18:30:57Z",
"published": "2025-05-20T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48016"
},
{
"type": "WEB",
"url": "https://selinc.com/products/software/latest-software-versions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QCC3-JQWP-5VH2
Vulnerability from github – Published: 2026-04-02 21:01 – Updated: 2026-05-06 23:24Summary
LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
57c47d8c7fbf5a2e70cc4dec2380977968903cad— 2026-03-31T19:34:25+09:00
OpenClaw thanks @nexrin for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41343"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T21:01:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nLINE webhook handler lacks shared pre-auth concurrency budget before signature verification\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `57c47d8c7fbf5a2e70cc4dec2380977968903cad` \u2014 2026-03-31T19:34:25+09:00\n\nOpenClaw thanks @nexrin for reporting.",
"id": "GHSA-qcc3-jqwp-5vh2",
"modified": "2026-05-06T23:24:58Z",
"published": "2026-04-02T21:01:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41343"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification"
}
GHSA-QRF6-H5FC-7M96
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-10-22 19:47An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-11069"
],
"database_specific": {
"cwe_ids": [
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:47:35Z",
"nvd_published_at": "2020-06-19T20:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.",
"id": "GHSA-qrf6-h5fc-7m96",
"modified": "2025-10-22T19:47:35Z",
"published": "2022-05-24T17:21:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11069"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/c976c2881ce5e34febac8a9850a6bad5d728625e"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Server does not enforce rate limits on password change attempts"
}
GHSA-R37H-J483-CJJM
Vulnerability from github – Published: 2021-06-01 21:38 – Updated: 2021-06-04 18:50Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phanan/koel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33563"
],
"database_specific": {
"cwe_ids": [
"CWE-799",
"CWE-916"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-01T20:37:37Z",
"nvd_published_at": "2021-05-24T23:15:00Z",
"severity": "HIGH"
},
"details": "Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.",
"id": "GHSA-r37h-j483-cjjm",
"modified": "2021-06-04T18:50:20Z",
"published": "2021-06-01T21:38:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33563"
},
{
"type": "WEB",
"url": "https://github.com/koel/koel/releases/tag/v5.1.4"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1-other-koel/koel"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper rate limiting in Koel"
}
GHSA-RCJQ-RRM8-5G33
Vulnerability from github – Published: 2024-06-04 09:30 – Updated: 2025-04-03 00:31Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.
{
"affected": [],
"aliases": [
"CVE-2023-40332"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T08:15:09Z",
"severity": "MODERATE"
},
"details": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.",
"id": "GHSA-rcjq-rrm8-5g33",
"modified": "2025-04-03T00:31:30Z",
"published": "2024-06-04T09:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40332"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.